12-31-2009 05:20 PM - edited 03-11-2019 09:52 AM
ASA version 8.2
I ran the IPsec wizard on my 5510 for remote access. It would seem that by default ISAKMP is enabled on both the inside and outside interfaces. Furthermore, my default dynamic crypto map is enabled on both the inside and outside interfaces. I would like to enable RRI for pools of addresses assigned to my remote workers. Right now I have static routes - I'd ideally like RRI and redistribution. Enabling RRI fails due to the fact that the dynamic mapping exists on multiple interfaces. When I try to delete the map from the inside interface, it deletes the outside map as well. So my questions are these:
1. Should I have ISAKMP enabled on my inside interface if I'm terminating my VPN tunnels on the outside interface?
2. Is having ISAKMP enabled on the inside interface the reason why deleting the dynamic crypto map on the inside interface also deletes it from the outside interface? (this occurs in the ASDM, haven't tried it on the CLI).
I can concede that I may have to configure this manually on the CLI as opposed to wizards due to the advanced configuration to enable RRI. Any thoughts/suggestions would be appreciated.
Regards,
Scott
12-31-2009 05:40 PM
I couldn't wait - I disabled ISAKMP and the dynamic map on the inside interface. I was able to configure RRI on the outside interface. I see the static entry on the ASA for the reverse route, but it doesn't appear in the EIGRP topology table. And without it showing up in the topology table, it's not being advertised to neighbors. Now what?
Regards,
Scott
12-31-2009 07:07 PM
Scott,
Please refer to the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml
The link talks about OSPF.
I did some quick research but didn't find any known issues with RRI and redistribution in 8.2.x code.
-KS
11-18-2010 09:03 PM
I configured RRI on my ASA for a site-to-site VPN tunnel. However, when the tunnel is down the route is still advertised to the network, therefore preventing it from going via our alternative path.
Does anybody know how to stop redistributing a remote subnet when the tunnel is down?
11-19-2010 12:43 AM
Hi,
You could use SLA monitoring to help your purpose for L2L VPNs.
Instead of using RRI, you could configure a static route to the remote network via your primary link and a backup route to the remote network via your backup link.
Configure SLA tracking on the primary route. This should bring your backup route up if the VPN tunnel is down.
Be sure to ping a host in the remote private network for the SLA tracking:
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
10.0.0.1 being a device in the remote network at the other end of the VPN tunnel.
Let me know if you have any questions.
Cheers,
Nash.
11-19-2010 05:32 AM
This might be a problem since the remote host will respond to ICMP going via the backup link.
11-19-2010 05:56 AM
The backup link would not have the same ingress interface as the primary link. Would it?
If so we got a problem.
Cheers,
Nash.
11-19-2010 06:00 AM
The backup link will be from the inside interface, coming off, let's say, an MPLS network or another VPN device.
The primary link will be from the VPN.
I don't think you can specify a route just to go via a VPN, can you?
11-19-2010 07:06 AM
Consider this setup:
X Y
MPLS---Inside Network---- ASA---Outside/Internet---VPN Tunnel---- ASA/Router----Remote Site network
To get to the Remote site via the VPN tunnel, you obviously need to take the default route.
So, you could add a route to the remote site Network with the internet gateway on the ASA as the next hop.
Something like:
route outside 172.16.10.0 255.255.255.0 64.54.44.34, with 64.54.44.34 being the internet gateway on the ASA.
Cheers,
Nash.
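The SLA-tracked primary/backup routing that Nash describes in his two replies above, written out as one ASA 8.2 configuration. This is an added example, not configuration posted in the thread: the remote subnet 172.16.10.0/24, the probe target 10.0.0.1 and the outside gateway 64.54.44.34 are the thread's own values, while the inside next hop 192.168.1.254, the SLA/track ids and the timers are assumptions.

```cisco
! Primary path: remote site via the L2L tunnel on the outside interface.
! Backup path:  remote site via the MPLS router on the inside interface.
! Assumption: 192.168.1.254 is the MPLS router on the inside segment.
!
! Probe a host inside the remote private network. "interface outside"
! forces the echo out the tunnel-facing interface regardless of the
! routing table, so the probe cannot succeed over the backup link and
! the primary route is restored only when the tunnel itself is back.
! The probe is sourced from the outside interface IP, so the crypto ACL
! for this tunnel must also permit that address to 10.0.0.1; otherwise
! the echo leaves in the clear and the track stays down.
sla monitor 10
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 goes down when SLA 10 reports the target unreachable.
track 1 rtr 10 reachability
!
! Primary route (metric 1) stays installed only while track 1 is up.
route outside 172.16.10.0 255.255.255.0 64.54.44.34 1 track 1
!
! Backup route (metric 254) takes over once the primary is withdrawn.
route inside 172.16.10.0 255.255.255.0 192.168.1.254 254
```

Verify the failover with show sla monitor operational-state 10, show track 1 and show route, and pull the tunnel down to confirm that the outside route is withdrawn and the inside route appears.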